Cloud Blog: Introducing backup vaults for cyber resilience and simplified Compute Engine backups

Source URL: https://cloud.google.com/blog/products/storage-data-transfer/backup-and-dr-service-adds-immutable-indelible-backups/
Source: Cloud Blog
Title: Introducing backup vaults for cyber resilience and simplified Compute Engine backups

Feedly Summary: Backing up your data has never been more critical. Faced with the unfortunate rise in ransomware attacks, many customers are choosing to add additional protection to make sure their data stays secure. Consequently, there is an increasing emphasis on security and simplicity. On the security front, the prevalence of cyber attacks, whether via ransomware or other means, poses significant financial and reputational risk. Meanwhile, there is strong desire to simplify backup management to increase their agility and reduce operational toil.  
To continue meeting your evolving needs, we’re announcing three major enhancements to the Google Cloud Backup and Disaster Recovery (DR) service, all available in preview: 

The new backup vault storage feature, which delivers immutable (preventing modification) and indelible (preventing deletion) backups, securing your backups against tampering and unauthorized deletion.

A centralized backup management experience, which delivers a fully-managed end-to-end solution, making data protection effortless, and supporting direct integration into resource management flows.

Integration within the Compute Engine VM creation experience, empowering application owners to apply backup policies when VMs are initially created. 

Secure your backups against tampering and unauthorized deletion
Backups often represent the last resort for recovery when production data becomes unavailable or untrusted, such as in the aftermath of a cyber attack or catastrophic user error. It’s critical to not only back up your critical workloads, but also to secure those backups against subsequent modification and deletion. Backup vault provides secure storage for backups taken by the Backup and DR service, empowering you to confidently achieve the protection your organization requires. 
Backup isolation: logically air-gapped
Backup vault data is stored in a Google-managed project and is logically air-gapped from your self-managed Google Cloud project. The underlying backup vault resources are not visible or accessible to users in your organization, which prevents direct attacks against those resources. Access to backup vault data is provided exclusively through Google Cloud Backup and DR service APIs and UI.
Control and compliance: enforced retention
When creating a backup vault, you can specify that vaulted backups must be strongly secured against modification and deletion until the administrator-specified minimum enforced retention timeframe has elapsed. This layered protection enables you to deliver on backup immutability (security against data modification) and indelibility (security against data deletion) objectives, which are often driven by security initiatives or by regulatory compliance requirements.

Creating a backup vault in Google Cloud console

Reliable and flexible recovery
Vaulted backups are fully self-contained and enable recovery even when the source resource is no longer available. In addition, backup vaults can be created in a project that differs from the source project (e.g., the project where a protected Compute Engine VM is running), thus ensuring that backups remain accessible even if the source project or resource is no longer present. As a result, you can configure your backup policy to provide strong resilience against source project deletion. This supports immediate recovery of production applications to pre-existing or newly-created projects, including recovery into projects configured as isolated recovery environments (IREs) for pre-recovery testing/forensics in the aftermath of a cyber attack.
The backup vault feature is available today in preview and will be generally available in the coming months. It supports protection for Compute Engine VMs, VMware Engine VMs, Oracle databases, and SQL Server databases.
Leverage fully managed, centralized backup management
Customers often ask for a simple, self-serviceable, and infrastructure-free backup offering designed for cloud workloads. To ensure that vital operational aspects are not impeding the agility sought by businesses, customers are seeking a more flexible model that empowers the app developers to back up their VMs while allowing the central backup team to retain governance and oversight.
Our new centralized backup management experience offers simplicity through a fully managed service that makes data protection straightforward, and delivers an integrated, developer-centric, self-service model for app developers.
Protect your mission-critical Compute Engine VM data into backup vaults
With initial support for managing Compute Engine VM protection, the new fully managed experience makes setting up your backup as easy as 1) creating a backup vault (storage), 2) defining your backup plan (schedule), and 3) starting the protection of your VMs. This user-friendly approach eliminates the need for complex configurations, allowing you to focus on your core operations without worrying about backup management.

Empowering application owners: direct integration
Platform admins (and/or app developers) now have the power to back up Compute Engine VMs through an integrated experience during VM creation. This feature empowers teams to take control of their own backup strategies directly from the VM creation process, streamlining workflows and reducing the administrative burden on central backup and IT teams. By integrating backup tasks into the VM provisioning process, you ensure that your data protection policies are consistently applied from the outset. They are integrated with Google Cloud Identity and Access Management (IAM) giving admins flexibility and control.

Centralized governance, monitoring and reporting
The backup service enhances both governance and oversight by offering centralized control over backup policies while allowing application owners to manage their own backup tasks. This dual-layer approach ensures consistency and compliance across the organization, striking the right balance between operational flexibility and centralized control.
To further strengthen data protection, the solution provides comprehensive monitoring and reporting capabilities:

Scheduled backup jobs and restore jobs: Track the status of scheduled backup and restore jobs to ensure they are running as expected. Monitor job success, failure, and progress through a centralized dashboard.

Customizable reports: Generate detailed reports on failed and skipped jobs, protected resources, compliance, storage usage, and more. Tailor these reports to meet your specific needs and gain valuable insights into your backup environment.

Alerts and notifications: Set up alerts and notifications to stay informed about critical backup events. Whether it’s a failed job or other important updates, you’ll receive timely notifications to take appropriate actions.

Ease of automation: Integrate with your existing systems for at-scale protection
Automation is key to efficiently managing cloud resources, and our new offering integrates with your existing VM management tools. Whether you’re using gcloud CLI, APIs, or Terraform, the backup solution facilitates easy integration into your automation workflows. During the preview, you’ll be able to access and experience the offering through both the UI and gcloud CLI to protect Compute Engine VMs. When the offering becomes generally available, you’ll have access to APIs and Terraform, enabling you to integrate backup operations on top of existing infrastructure as code and incorporate them into your broader VM management strategies. This capability ensures that your backup processes are not only effective but also optimized within your existing infrastructure.
You can programmatically create and back up Compute Engine VMs with just a few simple commands, as shown below.

code_block